Bug 43977 - Information leak by unprotected meta.json
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: General
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2
Assigned To: Alexander Kläser
QA Contact: Florian Best
: interim-4
Reported: 2017-03-20 10:28 CET by Erik Damrose
Modified: 2017-04-04 18:29 CEST (History)

What kind of report is it?: Bug Report
Bug group (optional): Security


Attachments
patch (1.68 KB, patch)
2017-03-23 13:12 CET, Florian Best
Screenshot (27.04 KB, image/png)
2017-03-24 14:06 CET, Florian Best

Description Erik Damrose univentionstaff 2017-03-20 10:28:49 CET
The UCS system's meta.json is available unprotected on UCS servers: http://<fqdn>/univention/meta.json

The file currently shows possibly sensitive information. It was extended multiple times during UCS 4.2 development already. I see the risk that more system information is added to the file without seeing the consequences. The file should not be available without authentication.

Currently it shows among other things:
UCS version + errata level
Server role
A paid license is installed
A reboot is required (It is possible that a vulnerable kernel version is active)
Comment 1 Stefan Gohmann univentionstaff 2017-03-22 08:15:22 CET
Which systems need access? Is it possible to limit the access to members of the group 'DC Backup Hosts'?
Comment 2 Alexander Kläser univentionstaff 2017-03-23 09:31:15 CET
AFAIS, the "easiest" strategy would be to move the UCR template logic into the UMC server (e.g., /univention/get/meta-info) and return a strictly narrowed down version of the information for the case that one is not logged in. If logged in, we can return the full version. This has the advantage that we can still include this information very early in config.js. Requesting the data (e.g., via /univention/get/ucr) at a later point would be quite a bit of work as there are various places ATM which expect that the meta data is loaded at a very early stage.
Comment 3 Florian Best univentionstaff 2017-03-23 13:12:20 CET
Created attachment 8628 [details]
patch

A patch for the UMC-Server which serves different files depending on the login state.
Comment 4 Alexander Kläser univentionstaff 2017-03-23 19:13:00 CET
Fixed. I moved meta.json into univention-management-console at /usr/share/univention-management-console. (No special clean-up handling for this move is required as meta.json had been added in UCS 4.2. ... after a package update there is probably still the old meta.json at /var/www/univention left.) The UMC server now reads meta.json by default and adds additional (sensitive) information if one is logged in.

univention-system-setup (10.0.10-7):
r78237 | Bug #43977: Simplify meta data reloading
r78234 | Bug #43977: Adapt reading of meta information

univention-management-console (9.0.72-3):
r78235 | Bug #43977: Move UUID and license base into get/meta command
r78233 | Bug #43977: Handle meta info via UMC server + correct login.onLogin()

univention-web (1.0.40-9):
r78236 | Bug #43977: Simplify meta data handling for tools.status()
r78232 | Bug #43977: Move meta.json into UMC server + adjust handling
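The approach described in comments 2 and 4 (one meta.json, served narrowed down to anonymous clients and in full only to a logged-in session) can be illustrated with an allow-list filter. The block below is an added example and not Univention's UMC code; the field names, the sample document and the session lookup are assumptions chosen to mirror the fields named in this bug. It also contrasts the allow-list with a deny-list, which is the variant that would silently leak any field added to meta.json later, the concern raised in the description.

```python
"""Added example (not UCS/Univention code): return an allow-listed view of
meta.json to anonymous callers and the full document only to authenticated
sessions. Field names below are assumptions, not the real UMC schema."""
import json

# Deny-by-default: only these keys reach an unauthenticated client. Any key
# added to meta.json later stays hidden until it is consciously listed here.
PUBLIC_FIELDS = frozenset({"hostname", "has_certificates"})

# Deny-list variant for comparison: keys known to be sensitive *today*.
SENSITIVE_FIELDS = frozenset({"ucsVersion", "server_role", "license_base",
                              "reboot_required"})

# Constructed sample standing in for /usr/share/univention-management-console/meta.json.
SAMPLE_META = {
    "hostname": "master",
    "has_certificates": True,
    "ucsVersion": "4.2-0 errata1",            # version + errata level
    "server_role": "domaincontroller_master",
    "license_base": "dc=example,dc=com",
    "reboot_required": True,                  # hints at an unpatched kernel
}


def meta_for_session(meta, authenticated):
    """Allow-list view: full document when logged in, PUBLIC_FIELDS otherwise."""
    if authenticated:
        return dict(meta)
    return {k: v for k, v in meta.items() if k in PUBLIC_FIELDS}


def meta_denylist(meta, authenticated):
    """Deny-list view: strips known-sensitive keys, leaks everything else."""
    if authenticated:
        return dict(meta)
    return {k: v for k, v in meta.items() if k not in SENSITIVE_FIELDS}


def leaked_fields(anonymous_response):
    """Keys in an anonymous response that are outside the allow-list."""
    return sorted(k for k in anonymous_response if k not in PUBLIC_FIELDS)


def handle_meta_request(session_cookie, sessions, meta=SAMPLE_META):
    """Minimal handler for an assumed GET /univention/get/meta: the session
    store (a dict of valid cookie values) decides which view is serialised."""
    authenticated = session_cookie is not None and session_cookie in sessions
    return json.dumps(meta_for_session(meta, authenticated), sort_keys=True)


if __name__ == "__main__":
    sessions = {"s3cret-cookie"}
    print("anonymous:", handle_meta_request(None, sessions))
    print("logged in:", handle_meta_request("s3cret-cookie", sessions))
    # Simulate a field added later to meta.json without review:
    grown = dict(SAMPLE_META, installed_apps=["samba4", "kopano"])
    print("deny-list leaks:", leaked_fields(meta_denylist(grown, False)))
    print("allow-list leaks:", leaked_fields(meta_for_session(grown, False)))
```

Running the module prints the two views and then shows that the deny-list variant exposes the newly added `installed_apps` key to anonymous clients while the allow-list variant does not; the comparison is the practical argument for keeping the anonymous view strictly enumerated, as comment 2 proposes.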
Comment 5 Florian Best univentionstaff 2017-03-24 13:45:07 CET
REOPEN: The certificate menu entry doesn't work on a DC Slave anymore.

REOPEN: The whole page doesn't load anymore if the UMC-Server is down…

What about this?
management/univention-web/js/piwik.js: piwikTracker.setCustomVariable(1, 'ucsVersion', tools.status('ucsVersion'), 'visit');
Comment 6 Florian Best univentionstaff 2017-03-24 14:06:46 CET
Created attachment 8638 [details]
Screenshot

I think the start site name that is no longer shown has to do with these changes?
Also, why is the menu placed underneath the title? Which bug is this?
Comment 7 Stefan Gohmann univentionstaff 2017-03-24 22:43:25 CET
I'm unable to download the root certificate if I'm not logged in. I get the following link:
 http://undefined/ucs-root-ca.crt
Comment 8 Stefan Gohmann univentionstaff 2017-03-26 17:10:49 CEST
The server overview is only shown if the user is logged on.
Comment 9 Florian Best univentionstaff 2017-03-27 16:44:31 CEST
dojo.js.uncompressed.js:6483 ReferenceError: tools is not defined(…) "ReferenceError: tools is not defined
    at constructor (https://xen7.school.local/univention/js/dojo/dojo.js:1724:444)
    at new <anonymous> (https://xen7.school.local/univention/js/dojo/dojo.js:139:171)
    at Object.widget (https://xen7.school.local/univention/js/dojo/dojo.js:786:128)
    at Object.<anonymous> (https://xen7.school.local/univention/js/dojo/dojo.js:785:182)
    at Object.forEach (https://xen7.school.local/univention/js/dojo/dojo.js:57:112)
    at Object.widgets (https://xen7.school.local/univention/js/dojo/dojo.js:785:84)
    at buildRendering (https://xen7.school.local/univention/js/dojo/dojo.js:771:110)
    at create (https://xen7.school.local/univention/js/dojo/dojo.js:164:145)
    at postscript (https://xen7.school.local/univention/js/dojo/dojo.js:163:104)
    at new <anonymous> (https://xen7.school.local/univention/js/dojo/dojo.js:139:215)
    ----------------------------------------
    rejected at a (https://xen7.school.local/univention/js/dojo/dojo.js:85:197)
    at d (https://xen7.school.local/univention/js/dojo/dojo.js:84:456)
    at k (https://xen7.school.local/univention/js/dojo/dojo.js:84:223)
    at b.resolve (https://xen7.school.local/univention/js/dojo/dojo.js:86:296)
    at a (https://xen7.school.local/univention/js/dojo/dojo.js:85:171)
    at d (https://xen7.school.local/univention/js/dojo/dojo.js:84:437)
    at k (https://xen7.school.local/univention/js/dojo/dojo.js:84:223)
    at b.resolve (https://xen7.school.local/univention/js/dojo/dojo.js:86:296)
    at a (https://xen7.school.local/univention/js/dojo/dojo.js:85:171)
    at d (https://xen7.school.local/univention/js/dojo/dojo.js:84:437)
Comment 10 Alexander Kläser univentionstaff 2017-03-27 18:58:52 CEST
(In reply to Florian Best from comment #9)
> dojo.js.uncompressed.js:6483 ReferenceError: tools is not defined(…)
> "ReferenceError: tools is not defined
> [...]

I fixed this error in MultiUploader with the following commit:

univention-web (1.0.41-4):
r78364 | Bug #42235: Fix undefined reference "tools" in MultiUploader
Comment 11 Alexander Kläser univentionstaff 2017-03-28 14:36:21 CEST
(In reply to Florian Best from comment #5)
> REOPEN: The certificate menu entry doesn't work on a DC Slave anymore.

Fixed. The certificate links will always be shown on a DC master/slave and otherwise only if one is logged in.

> REOPEN: The whole page doesn't load anymore if the UMC-Server is down…

Fixed. I adjusted the umc/json module to use XHR requests and handle errors more gracefully.

> What about this?
> management/univention-web/js/piwik.js:
> piwikTracker.setCustomVariable(1, 'ucsVersion', tools.status('ucsVersion'),
> 'visit');

This is fine as ucsVersion is a session variable → this is part of Bug 43604 and is QAed there.

(In reply to Florian Best from comment #6)
> Created attachment 8638 [details]
> Screenshot
> 
> I think the start site name that is no longer shown has to do with these
> changes?

Fixed. I moved "hostname" back into meta.json.

> Also, why is the menu placed underneath the title? Which bug is this?

This has been fixed in some other commit.

(In reply to Stefan Gohmann from comment #7)
> I'm unable to download the root certificate if I'm not logged in. I get the
> following link:
>  http://undefined/ucs-root-ca.crt

Fixed, see above.

(In reply to Stefan Gohmann from comment #8)
> The server overview is only shown if the user is logged on.

Fixed, see above.


univention-management-console (9.0.77-4):
r78424 | Bug #43977: Add has_certificates to meta.json and adjust UCR dependencies
r78405 | Bug #43977: Move hostname into meta.json + adjust logging output

univention-web (1.0.42-3):
r78423 | Bug #43977: Only show links to certificates if URI can be deferred
r78422 | Bug #43977: Use dojo/request/xhr in umc/json to handle errors gracefully
Comment 12 Florian Best univentionstaff 2017-03-29 15:55:34 CEST
REOPEN: On a DC Slave there is no Certificates menu entry anymore.
There is also an exception when doing parser.parse() in config.js:

dojo.js.uncompressed.js:1893 Error: scriptError(…)
Comment 13 Florian Best univentionstaff 2017-03-29 16:03:31 CEST
(In reply to Florian Best from comment #12)
> REOPEN: On a DC Slave there is no Certificates menu entry anymore.
The menu is shown after a login. But this isn't good because one has to install the certificates before the initial login so that the password is not transmitted in plaintext over the network.
Comment 14 Alexander Kläser univentionstaff 2017-03-30 16:15:24 CEST
(In reply to Florian Best from comment #13)
> (In reply to Florian Best from comment #12)
> > REOPEN: On a DC Slave there is no Certificates menu entry anymore.
> The menu is shown after a login. But this isn't good because one has to
> install the certificates before the initial login so that the password is
> not transmitted in plaintext over the network.

As discussed, this behaviour is by design. As the LDAP master is unknown unless you log in (for security reasons), there cannot be any link to it. If you log in, this information is available and the link is shown.

(In reply to Florian Best from comment #12)
> [...]
> dojo.js.uncompressed.js:1893 Error: scriptError(…)

Hm, I had a bit of trouble debugging the exact problem. However, this does not seem to be related to any of these changes. Apart from that, this error does not seem to change the intended behaviour of the web interface.
Comment 15 Florian Best univentionstaff 2017-03-30 17:56:42 CEST
OK, then.
Comment 16 Stefan Gohmann univentionstaff 2017-04-04 18:29:12 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".